A data backup copying session on a data processing system is secured responsive to initiation of the data backup session by an application executing on a processing unit by generating a unique identifier for the data backup session. Thereafter, all member paths of a group of paths designated by the processing unit for communication between itself and the first storage subsystem are identified and associated with the data backup session. Access to the session is thereafter allowed only along a member path of the group of paths associated with the data backup session. The system and method further provide for fault recovery and protection against excessive demand on storage control unit memory.

This invention relates in general to methods and systems for maintaining continued availability of datasets in external storage associated with accessing data processing systems, and in particular the present invention relates to backup copying of records in external storage concurrent with a dramatically shortened suspension of data processing system application execution occasioned by such copying. Still more particularly, the present invention relates to a method and system for providing a backup session secured to a single one of the plurality of accessing data processing systems.

A modern data processing system must be prepared to recover, not only from corruptions of stored data which occur as a result of noise bursts, software bugs, media defects, and write path errors, but also from global events, such as data processing system power failure. The most common technique of ensuring the continued availability of data within a data processing system is to create one or more copies of selected datasets within a data processing system and store those copies in a nonvolatile environment. This so-called "backup" process occurs within state-of-the-art external storage systems in modern data processing systems.

Backup policies are implemented as a matter of scheduling. Backup policies have a space and time dimension which is exemplified by a range of datasets and by the frequency of backup occurrence. A FULL backup requires the backup of an entire range of a dataset, whether individual portions of that dataset have been updated or not. An INCREMENTAL backup copies only that portion of the dataset which has been updated since a previous backup, either full or incremental. The backup copy thus created represents a consistent view of the data within the dataset as of the time the copy was created.

Of course, those skilled in the art will appreciate that as a result of the process described above, the higher the backup frequency, the more nearly the backup copy will mirror the current state of data within a dataset. In view of the large volumes of data maintained within a typical state-of-the-art data processing system, backing up that data is not a trivial operation. Thus, the opportunity cost of backing up data within a dataset may be quite high on a large multiprocessing, multiprogramming facility, relative to other types of processing.

Applications executed within a data processing system are typically executed in either a batch (streamed) or interactive (transactional) mode. In a batch mode, usually one application at a time executes without interruption. Interactive mode is characterized by interrupt driven multiplicity of applications or transactions.

When a data processing system is in the process of backing up data in either a streamed or batch mode system, each process, task or application within the data processing system is affected. That is, the processes supporting streamed or batch mode operations are suspended for the duration of the copying. Those skilled in the art will recognize that this event is typically referred to as a "backup window." In contrast to batch mode operations, log based or transaction management applications are processed in the interactive mode. Such transaction management applications eliminate the "backup window" by concurrently updating an on-line dataset and logging the change. However, this type of backup copying results in a consistency described as "fuzzy." That is, the backup copy is not a precise "snapshot" of the state of a dataset/data base at a single point in time. Rather, a log comprises an event file requiring further processing against the database.

A co-pending European Patent Application Serial No. EP 90307839.27 illustrates backup in a batch mode system utilizing a modified incremental policy. A modified incremental policy copies only new data or data updates since the last backup. It should be noted that execution of applications within the data processing system is suspended during copying in this system.

As described above, to establish a prior point of consistency in a log based system, it is necessary to "repeat history" by replaying the log from the last check point over the datasets or database of interest. The distinction between batch mode and log based backup is that the backup copy is consistent and speaks as of the time of its last recordation, whereas the log and database mode require further processing in the event of a fault, in order to exhibit a point in time consistency.

United States Patent No. 4,507,751, Gawlick et al., entitled Method and Apparatus for Logging Journal Data Using a Write Ahead Dataset, issued March 25, 1985, exemplifies a transaction management system wherein all transactions are recorded on a log on a write-ahead dataset basis. As described within this patent, a unit of work is first recorded on the backup medium (log) and then written to its external storage address.

Co-pending United States Patent Application Serial No. 07/524,206, filed May 16, 1990, entitled Method and Apparatus for Executing Critical Disk Access Commands, teaches the performance of media maintenance on selected portions of a tracked cyclic operable magnetic media concurrent with active access to other portions of the storage media. The method described therein requires the phased movement of customer data from a target track to an alternate track, diversion of all concurrent access requests to the alternate track or tracks and the completion of maintenance and copy back from the alternate to the target track. Requests and interrupts which occur prior to executing track-to-track customer data movement result in the restarting of the process. Otherwise, requests and interrupts occurring during execution of the data movement view a DEVICE BUSY state. This typically causes a requeueing of the request.

Where data base systems support access in an interactive mode by a plurality of host data processing systems, a request for generation of a backup copy can come from one or more of the host data processing systems, or from one or more applications running on a single host. The techniques described above add to the robustness of a data base, but do not directly address complications faced by a data base server in producing a faithful backup copy in the face of the possibility of requests from more than one source.

It should therefore be apparent that a need exists for a method and system whereby the maximum availability of application execution within a data processing system is maintained while creating backup copies which exhibit a consistent view of data within an associated database, as of a specific time.

It is therefore one object of the present invention to provide an improved method and system for maintaining continued availability of datasets in external storage associated with accessing data processing systems.

It is another object of the present invention to provide an improved method and system for backup copying of data in external storage concurrent with continued execution of a plurality of applications on several processing units within the data processing system that access data.

It is still another object of the present invention to provide an improved method and system for securing a backup copying session to a single one of a plurality of processing units.
The invention as claimed relates to a data backup copying session on a data processing system which is secured responsive to initiation of the data backup session by an application executing on a processing unit by generating a unique identifier for the data backup session. Thereafter, all member paths of a group of paths designated by the processing unit for communication between itself and the first storage subsystem are identified and associated with the data backup session. Access to the session is thereafter allowed only along a member path of the group of paths associated with the data backup session.

The system and method of the invention further provide for fault recovery and protection against excessive demand on storage control unit memory. Upon initiation of a data backup copying session, a session file in subsystem storage of a storage control unit for the data backup session is generated. Responsive to a session file exceeding a limit in size, the data backup session is terminated. The limit imposed is dynamically adjusted as a function of the number of concurrent data backup sessions and the size of the concurrent data backup sessions. The session having the session file demanding the greatest range in the subsystem storage when total subsystem storage demand exceeds a certain threshold is terminated.

A variety of fault recovery techniques are provided. Responsive to the processing unit resetting all member paths of the group of paths designated initially by the processing unit, a data backup session is terminated. Responsive to reinitialization of the processing unit, a data backup session is terminated.

The present application is related to PCT Patent Application Serial No. PCT/EP92/02127, entitled "Method and Means for Time Zero Backup Copying of Data", filed September 16, 1992. The contents of the cross-referenced PCT Patent Application are hereby incorporated herein by reference thereto.

The novel features believed characteristic of the invention are set forth in the appended claims. The invention itself, however, as well as a preferred mode of use, further objects and advantages thereof, will best be understood by reference to the following detailed description of an illustrative embodiment when read in conjunction with the accompanying drawings, wherein:

Figure 1 depicts a typical multiprocessing, multiprogramming environment according to the prior art where executing processors and applications randomly or sequentially access data from external storage;

Figures 2A-2C depict time line illustrations of the backup window in a batch or streaming process in the prior art, in a time zero backup system and in an incremental time zero backup system, respectively;

Figure 3 illustrates a conceptual flow of an incremental time zero backup copy;

Figure 4 is a high level logic flowchart illustrating initialization of an incremental time zero backup copy and securing of a session of incremental backup copying in accordance with the method and system of the present invention; and

Figure 5 is a high level logic flowchart illustrating incremental backup copying.
With reference now to the figures and in particular with reference to Figure 1, there is depicted a multiprocessing, multiprogramming data processing system according to the prior art. Such systems typically include a plurality of processor units 1 and 3 which access external storage units 21, 23, 25, 27, and 29 over redundant channel demand/response interfaces 5, 7 and 9.

The illustrated embodiment in Figure 1 may be provided in which each processor within the data processing system is implemented utilizing an IBM/360 or 370 architected processor type having, as an example, an IBM MVS operating system. An IBM/360 architected processor is fully described in Amdahl et al., U.S. Patent No. 3,400,371, entitled "Data Processing System", issued on September 3, 1968. A configuration in which multiple processors share access to external storage units is set forth in Luiz et al., U.S. Patent No. 4,207,609, entitled "Path Independent Device Reservation and Reconnection in a Multi-CPU and Shared Device Access System", issued January 10, 1980.

The MVS operating system is also described in IBM Publication GC28-1150, entitled "MVS/Extended Architecture System Programming Library: System Macros and Facilities", Vol. 1. Details of standard MVS or other operating system services, such as local lock management, subsystem invocation by interrupt or monitor, and the posting and waiting of tasks are omitted. These operating systems services are believed to be well known to those having skill in this art.

Still referring to Figure 1, as described in U.S. Patent No. 4,207,609, a processor process may select from one or more paths previously established by the processor to externally stored data in an IBM System 370 or similar system through an MVS or other known operating system by invoking a START I/O, transferring control to a channel subsystem which reserves a path to the data over which transfers are made. Typically, executing applications have data dependencies and may briefly suspend operations until a fetch or update has been completed. During such a transfer, the path is locked until the transfer is completed.
Referring now to Figures 2A-2C, there are depicted time lines illustrating the backup window in a batch or streaming process in the prior art, in a time zero backup system and in an incremental time zero backup system respectively. As illustrated at Figure 2A, multiple backup operations have occurred, as indicated at backup windows 41 and 43. Application processing is typically suspended or shut down just prior to each backup window and this suspension will persist until the backup process has been completed. Termination of the backup window signifies completion of the backup process and commitment. By "completion" what is meant is that all data that was to have been copied was in fact read from the source. By "commitment" what is meant is that all data to be copied was in fact written to an alternate storage location.
Referring now to Figure 2B, backup windows for a time zero backup copy system are depicted. As described in detail within the co-pending cross-referenced PCT patent application, each backup window 45 and 47 still requires the suspension or termination of application processing; however, the suspension or termination occurs only for a very short period of time. As described in the cross-referenced application, the time zero backup method begins, effectively freezing data within the datasets to be backed up at that point in time. Thereafter, a bit map is created identifying each track within the datasets to be backed up and after creation of that bit map, the copy is said to be "logically complete". The committed state, or "physically complete" state will not occur until some time later. However, at the "logically complete" point in time, the data is completely usable by applications within the data processing system.

The time during which application processing is suspended in such a system is generally in the low sub-second range; however, those skilled in the art will appreciate that the amount of time required to create a bit map to the data to be copied will depend upon the amount of data within the datasets. Of course, those skilled in the art will appreciate that if the time zero backup process terminates abnormally between the point of logical completion and the point of physical completion, the backup copy is no longer useful and the process must be restarted. In this respect, the time zero backup process is vulnerable in a manner very similar to that of backup systems in the prior art. That is, all backup operations must be rerun if the process terminates abnormally prior to completion. Recovery from abnormal termination must also address security aspects of the backup procedure.
Referring now to Figure 2C, the incremental time zero backup copying process is depicted. As above, an initial backup window 49 exists which requires a temporary suspension or termination of application processing; however, in a manner which will be explained in greater detail herein, updates to the dataset which occur after the initial backup copy has begun are tracked utilizing an alternate bit map of the designated dataset. Thereafter, only those tracks within the designated dataset which have been altered are copied during a subsequent incremental copy session. Since the creation of a bit map identifying those tracks within the dataset which have been updated since a previous full copy has been completed occurs during the update process, application processing need not be suspended until the next time a full copy is desired. In this manner, suspension or interruption of application processing is substantially reduced.

With reference now to Figure 3, there is depicted a conceptual flow of the creation of an incremental time zero backup copy in accordance with the method and system of the present invention. As illustrated, an incremental time zero backup copy of data within a tracked cyclic storage device 61 may be created. As those skilled in the art will appreciate, data stored within such a device is typically organized into records and datasets. The real address of data within external storage is generally expressed in terms of Direct Access Storage Device (DASD) volumes, cylinders and tracks. The virtual address of such data is generally couched in terms of base addresses and offsets and/or extents from such base addresses. Further, a record may be of the count-key-data format. A record may occupy one or more units of real storage. A "dataset" is a logical collection of multiple records which may be stored on contiguous units of real storage or which may be dispersed. Therefore, those skilled in the art will appreciate that if backup copies are created at the dataset level it will be necessary to perform multiple sorts to form inverted indices into real storage.

For purposes of explanation of this invention, backup processing will be described as managed both at the resource manager level within a data processing system and at the storage control unit level. As described above, each processor typically includes an operating system which includes a resource manager component. Typically, an IBM System 370 type processor running under the MVS operating system will include a resource manager of the data facilities dataset services (DFDSS) type which is described in U.S. Patent No. 4,855,907, Ferro et al., issued August 8, 1989, entitled "Method for Moving VSAM Base Clusters While Maintaining Alternate Indices Into the Cluster". DFDSS is also described in IBM Publication GC26-4388, entitled "Data Facility Dataset Services: User's Guide".

Thus, a resource manager 63 is utilized in conjunction with a storage control unit 65 to create an incremental backup copy of designated datasets stored within tracked cyclic storage device 61. As will be described below, the backup copy process includes an initialization period during which datasets are sorted, one or more bit maps are created and logical completion of the bit map is signaled to the invoking process at the processor. The backup copy process is also secured to the host processing unit on which the initiating process is executing. The listed or identified datasets are then sorted according to access path elements down to DASD track granularity. Next, bit maps are constructed which correlate the dataset and the access path insofar as any one of them is included or excluded from a given copy session. Lastly, resource manager 63 signals logical completion, indicating that updates will be processed against the dataset only after a short delay until such time as physical completion occurs.



Following initialization, resource manager 63 begins reading the tracks of data which have been requested. While a copy session is active, each storage control unit monitors all updates to the dataset. If an update is received from another application 67, storage control unit 65 will execute a predetermined algorithm to process that update, as described below. Access to the session is, however, limited to paths owned by the initiating processing unit. In a time zero backup copy system a determination is first made as to whether or not the update attempted by application 67 is for a volume which is not within the current copy session. If the volume is not within the current copy session, the update completes normally. Alternately, if the update is for a volume which is part of the copy session, the primary session bit map is checked to see if that track is protected. If the corresponding bit within the bit map indicates the track is not currently within a copy session (e.g. the bit is off), the update completes normally. However, if the track is protected (e.g. the bit is on) the track in question is part of the copy session and has not as yet been read by resource manager 63. In such a case, storage control unit 65 temporarily buffers or defers the update and writes a copy of the affected track from tracked cyclic storage device 61 into a memory 66 within storage control unit 65. Thereafter, the update is permitted to complete.
Thus, as illustrated in Figure 3, an update initiated by application 67 may be processed through storage control unit 65 to update data at tracks 3 and 5 within tracked cyclic storage device 61. Prior to permitting the update to occur, tracks 3 and 5 are written as sidefiles to memory 66 within storage control unit 65 and thereafter, the update is permitted to complete. The primary bit map is then altered to indicate that the copies of tracks 3 and 5, as those tracks existed at the time a backup copy was requested, are no longer within tracked cyclic storage device 61 but now reside within memory 66 within storage control unit 65.
A merged copy, representing the designated dataset as of the time a backup copy was requested, is then created at reference numeral 69, by copying non-updated tracks directly from tracked cyclic storage device 61 through resource manager 63, or by indirectly copying those tracks from tracked cyclic storage device 61 to a temporary host sidefile 71, which may be created within the expanded memory store of a host processor. Additionally, tracks within the dataset which have been written to sidefiles within memory 66 in storage control unit 65 prior to completion of an update may also be indirectly read from memory 66 within storage control unit 65 to the temporary host sidefile 71. Those skilled in the art will appreciate that in this manner a copy of a designated dataset may be created from unaltered tracks within tracked cyclic storage device 61, from pre-updated tracks stored within memory 66 of storage control unit 65 and thereafter transferred to temporary host sidefile 71, wherein these portions of the designated dataset may be merged in backup copy order, utilizing the bit map which was created at the time the backup copy was initiated.
Referring now to Figure 4, there is depicted a high level logic flowchart which illustrates the initialization of a process for creating an incremental time zero backup copy, in accordance with the method and system of the present invention. As illustrated, this process starts at block 81. Block 82 returns a list of available session IDs to a processor unit upon request. Thereafter the process passes to block 83 which illustrates the beginning of the initialization process. Thereafter, the process passes to block 85 which depicts the sorting of the datasets by access path, down to DASD track granularity. This sorting process will, necessarily, resolve an identification of the DASD volumes within which the datasets reside and the identification of the storage control units to which those volumes belong.

Next, as depicted at block 87, a session identification is established between each processor and the relevant external storage control units. The session identification is preferably unique across all storage control units, in order that multiple processors will not interfere with each others' backup copy processes. Thereafter, as illustrated at block 89, a primary session bit map is established which may be utilized, as set forth in detail herein and within the cross-referenced patent application, to indicate whether or not a particular track is part of the present copy session. Thereafter, as depicted at block 91, the "logically complete" signal is sent to the invoking process, indicating that application processing may continue; however, slight delays in updates will occur until such time as the backup copy is physically complete. Security aspects of the process are invoked as required.
Securing of the data backup session begins with execution of step 133, which is executed to locate all paths between the host processing unit of the initiating application and the external storage units of the data processing system. A path group identification is unique to a host even across a multiple processing unit data processing system. Next, at step 135 the session ID is associated with the group of paths located in step 133. The session ID is utilized as a tag for all acceptable paths for access to the session. Thereafter, as indicated with step 137, access to the data backup copying session on any path but those paths associated with the session ID is blocked.

The system and method of the present invention further provide protection against excessive commitment of storage control unit memory 66. As described above, each data backup copying session has a dedicated session sidefile in storage control unit memory. The extent of memory commitment is monitored by time zero resource manager 63, which returns, among other measures, a variable indicating the extent of maximum memory utilization. This threshold is set for the sidefile as a whole. When the session sidefiles exceed the threshold level of total memory capacity (step 139), the session sidefile occupying the greatest number of tracks is identified to its host (step 140). If the host does not respond by removing sufficient data within a time out period (step 141), notification is given of suspension of the session (step 142). Suspension or disestablishment of a session is essentially termination except that the session ID does not become available for reassignment. Step 143 illustrates that the session ID is not returned to the available list notwithstanding suspension of the session (step 145). This allows the host processing unit to perform housecleaning functions relating to session termination without another host claiming the session ID, thereby raising possible conflict with the just terminated host. Step 159 indicates the end of the process supporting the suspended session.

Step 147 relates to identification of problems originating with the host which force suspension of a data backup copying session. Since communication with the session must occur over certain previously identified paths, should the host data processing system reset its paths (step 147), the communication paths into the session would no longer be associated with the processing unit which initiated the session. This would constitute a breach in security. The storage control unit will hold identification of the sessions for possible interrogation by the host attendant to housecleaning tasks (step 151) and terminate all sessions initiated by the host (step 153). If a processing unit engages in an initial program load, it may interrogate a storage control unit for the sessions it owns to reinitiate its sessions or terminate them, depending upon the circumstances of the load.

The host must be able to determine that it has lost a backup operation notwithstanding its temporary unavailability. Only a host processing unit is allowed to explicitly terminate a session to avoid the possibility that two hosts may "own" one session ID.

Step 155 illustrates that monitoring for memory overload conditions or host difficulties continues for the duration of the process of physically backing up data. After a backup is completed, a session is terminated (step 157).
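The path-group check, sidefile threshold and host-reset handling of steps 133 to 157, as an added Python model that is not part of the patent text. Class, method and state names, the 80% threshold and the host and path labels are assumptions; the time-out of step 141 is modelled as a callback reporting how many tracks the host drained, and both suspension and reset are modelled as one "suspended" state whose ID stays withheld.

```python
class AccessDenied(Exception):
    """A request arrived on a path or from a path group that does not own the session."""


class ControlUnit:
    """Toy storage control unit; names and structure are illustrative assumptions."""

    def __init__(self, session_ids, memory_tracks, threshold=0.8):
        self.available = list(session_ids)           # block 82: IDs offered to hosts
        self.sessions = {}                           # session ID -> record
        self.limit = int(memory_tracks * threshold)  # cap on all sidefiles together

    def establish(self, path_group_id, paths):
        """Steps 133-135: tag a fresh session ID with the host's whole path group."""
        sid = self.available.pop(0)
        self.sessions[sid] = {"group": path_group_id, "paths": frozenset(paths),
                              "sidefile_tracks": 0, "state": "active"}
        return sid

    def access(self, sid, path):
        """Step 137: serve an active session only on a member path of its group."""
        s = self.sessions.get(sid)
        if s is None or s["state"] != "active" or path not in s["paths"]:
            raise AccessDenied(f"session {sid!r} refused on path {path!r}")
        return True

    def buffer_tracks(self, sid, count):
        """Pre-update track images accumulate in the session's sidefile."""
        self.sessions[sid]["sidefile_tracks"] += count

    def over_limit(self):
        """Steps 139-140: when sidefiles exceed the limit, name the largest session."""
        active = {k: v["sidefile_tracks"] for k, v in self.sessions.items()
                  if v["state"] == "active"}
        if sum(active.values()) <= self.limit:
            return None
        return max(active, key=active.get)

    def enforce_memory(self, host_drained):
        """Steps 141-143: suspend the largest session if its host drains too little."""
        sid = self.over_limit()
        if sid is None:
            return None
        self.sessions[sid]["sidefile_tracks"] -= host_drained(sid)
        if self.over_limit() is None:
            return None
        self._suspend(sid)
        return sid

    def _suspend(self, sid):
        s = self.sessions[sid]
        s["state"], s["sidefile_tracks"] = "suspended", 0
        # Step 143: the ID is deliberately NOT put back on self.available.

    def path_group_reset(self, path_group_id):
        """Steps 147-153: a host reset its paths, so its sessions stop being served."""
        hit = [sid for sid, s in self.sessions.items()
               if s["group"] == path_group_id and s["state"] == "active"]
        for sid in hit:
            self._suspend(sid)
        return hit

    def owned_sessions(self, path_group_id):
        """Step 151: identification held so the host can interrogate after a reload."""
        return {sid: s["state"] for sid, s in self.sessions.items()
                if s["group"] == path_group_id}

    def terminate(self, sid, path_group_id):
        """Only the owning host releases a session; only then is the ID reusable."""
        s = self.sessions.get(sid)
        if s is None or s["group"] != path_group_id:
            raise AccessDenied(f"{path_group_id!r} does not own session {sid!r}")
        del self.sessions[sid]
        self.available.append(sid)


if __name__ == "__main__":
    cu = ControlUnit(["S1", "S2"], memory_tracks=100)   # constructed sample values
    a = cu.establish("HOST-A", {"A0", "A1"})
    cu.buffer_tracks(a, 90)
    print(cu.enforce_memory(lambda sid: 5), cu.available, cu.owned_sessions("HOST-A"))
```
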

A backup session can fail as a result of temporary loss of the storage control unit. Such occurrences cannot be conveniently expressed in a flow chart relating operation of a storage control unit. In most cases of storage control unit failure, the host processing unit will detect the occurrence by the condition of pack change interrupts and reset notifications when it initiates an input/output operation to the storage control unit subsequent to an initial microcode load of the unit.

A host processing unit has additional security functions. The processing unit allows only privileged applications to engage time zero backup operations. This is done by classifying the time zero command set as privileged, limiting its access to approved application programs only.
With reference now to Figure 5, there is depicted a high level logic flowchart which illustrates the incremental backup copying of a dataset in accordance with the method and system of the present invention. As illustrated, the process begins at block 99 and thereafter passes to block 101. Block 101 depicts the beginning of the reading of a backup copy. The process then passes to block 103 which illustrates a determination of whether or not the backup copy is to be a "FULL" copy or an "INCREMENTAL" copy. As described above, a FULL copy is a copy of each element within a designated dataset, regardless of whether or not the data within the dataset has been previously altered. An INCREMENTAL copy is a copy which only includes those portions of the dataset which have been updated or altered since the previous backup copy occurred.

Still referring to block 103, in the event a FULL copy is to be created, the process passes to block 107 which depicts the establishment of an alternate session bit map. As will be described in greater detail herein, an alternate session bit map is utilized to track alterations or updates to portions of the designated dataset which occur after the initiation of a previous backup copy, such that an INCREMENTAL copy of only those portions of the dataset which have been altered may be created at a subsequent time. Alternately, in the event an INCREMENTAL copy is to be created, the process passes from block 103 to block 105, which illustrates the changing of the designation of the alternate session bit map to that of the primary session bit map, and the process then passes to block 107, which again illustrates the establishment of an alternate session bit map.
Thus, upon the initiation of a FULL backup copy, 
an alternate session bit map is created to track 
changes to the dataset which occur after the initi- 
ation of the full copy. Thereafter, if an INCRE- 
MENTAL copy is to be created, the previously 
established alternate session bit map is utilized as 
the primary session bit map and a new alternate
session bit map is created to permit the system to
track changes to the data within the dataset which 
occur after the initiation of the INCREMENTAL 
copy. 

Next, block 109 illustrates a determination of
whether or not an update has occurred. In the
event no update has occurred, the process merely
iterates until such time as an update does occur. In
the event an update has occurred, the process
passes to block 111. Block 111 illustrates a deter-
mination of whether or not the update initiated by
an application within the data processing system is
an update against a portion of the time zero data-
set. If not, the process merely passes to block 113
and the update is processed in a user transparent
fashion. However, in the event the update is against
a portion of the time zero dataset, the process
passes to block 115.

Block 115 illustrates a determination of whether or
not the update is against a copied or uncopied
portion of the time zero dataset. That is, an update
to a portion of data within the dataset which has
been copied to the backup copy and is therefore
physically complete, or a portion which has not yet
been copied to the backup copy. If the portion of
the dataset against which the update is initiated
has already been copied to the backup copy, the
process passes to block 117 which illustrates the
marking of the alternate session bit map, to in-
dicate that this portion of the dataset has been
altered since the previous backup copy was ini-
tiated.

Thereafter, the process passes to block 113 which
illustrates the processing of the update. Again, the
process then passes from block 113 to block 109,
to await the occurrence of the next update. Refer-
ring again to block 115, in the event the update
against the time zero dataset is initiated against a
portion of the time zero dataset which has not yet
been copied to the backup copy, the process
passes to block 119. Block 119 illustrates the tem-
porary buffering of the update and the copying of
the affected portion of the time zero dataset to a
sidefile within memory 66 within the storage control
unit 65 (see Figure 3). Thereafter, the process
passes to block 121, which illustrates the marking
of the alternate session bit map to indicate that an
update has occurred with respect to this portion of
the dataset since the initiation of the previous
backup copy.

Next, the process passes to block 123, which illus-
trates the marking of the primary session bit map,
indicating to the resource manager that this portion
of the dataset has been updated within the external
storage subsystem and that the time zero copy of
this portion of the dataset is now either within
subsystem storage 66 within storage control unit 65
or within temporary host sidefile 71 which is uti-
lized to prevent overflow of data within subsystem
storage 66 within storage control unit 65 (see Fig-
ure 3).

After marking the primary session bit map, the
process passes to block 125 which illustrates the
processing of that update. Thereafter, the process
passes to block 127 which depicts a determination
of whether or not the sidefile threshold within the
subsystem storage 66 of storage control unit 65
has been exceeded. If so, the process passes to
block 129, which illustrates the generation of an
attention signal, indicating that sidefiles within the
storage control unit are ready to be copied by the
processor. Of course, those skilled in the art will
appreciate that a failure to copy data from the
subsystem storage within storage control unit 65
may result in the corruption of the backup copy if
that memory is overwritten. Referring again to
block 127, in the event the sidefile threshold has
not been exceeded, the process returns again to
block 109 to await the occurrence of the next
update.
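
The Figure 5 update path traced in code, as an added Python illustration that is not taken from the patent. The bit maps are modelled as sets of track numbers with "bit set = not yet copied" for the primary map, the sidefile threshold is counted in tracks, and a track no longer in the primary map is treated as already copied; all names and sample tracks are assumptions.

```python
class TimeZeroSession:
    """Track-level model of the Figure 5 update path (added illustration)."""

    def __init__(self, volume, dataset, to_copy, threshold):
        self.volume = volume          # live tracks on the storage unit
        self.dataset = set(dataset)   # tracks of the designated dataset
        self.scope = set(to_copy)     # tracks this backup copy must contain
        self.primary = set(to_copy)   # assumed encoding: bit set = not yet copied
        self.alternate = set()        # tracks altered since this backup began
        self.sidefile = {}            # preserved time zero images
        self.threshold = threshold    # assumed unit: tracks held in the sidefile
        self.attention = False

    def incremental(self):
        # Block 105: the alternate map becomes the next session's primary map.
        # Block 107: that session starts with a fresh, empty alternate map.
        return TimeZeroSession(self.volume, self.dataset, self.alternate, self.threshold)

    def update(self, track, data):
        if track not in self.dataset:                  # block 111 -> block 113
            self.volume[track] = data
            return
        if track in self.primary:                      # block 115: uncopied
            self.sidefile[track] = self.volume[track]  # block 119
            self.alternate.add(track)                  # block 121
            self.primary.discard(track)                # block 123
            self.volume[track] = data                  # block 125
            if len(self.sidefile) > self.threshold:    # block 127
                self.attention = True                  # block 129
        else:                                          # block 115: copied
            self.alternate.add(track)                  # block 117
            self.volume[track] = data                  # block 113

    def read_backup(self):
        copy = {}
        for track in sorted(self.scope):
            if track in self.sidefile:        # time zero image was preserved
                copy[track] = self.sidefile[track]
            else:                             # unchanged since time zero
                copy[track] = self.volume[track]
                self.primary.discard(track)   # now physically copied
        return copy

def figure5_demo():
    volume = {0: "a0", 1: "b0", 2: "c0", 3: "d0", 9: "x0"}  # constructed tracks
    dataset = {0, 1, 2, 3}
    full = TimeZeroSession(volume, dataset, dataset, threshold=1)
    full.update(1, "b1")           # uncopied track: old image goes to the sidefile
    full.update(9, "x1")           # outside the dataset: written straight through
    full_copy = full.read_backup()
    full.update(2, "c1")           # already copied: only the alternate map changes
    inc = full.incremental()
    inc.update(1, "b2")
    inc.update(2, "c2")            # second sidefile entry exceeds the threshold
    return full_copy, inc.read_backup(), inc.attention, sorted(inc.alternate)
```

The FULL copy returns the time zero images of all four tracks even though track 1 was overwritten first, and the INCREMENTAL copy contains only tracks 1 and 2 as they stood when the incremental session began.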

The asynchronous copying of sidefile data from
subsystem storage 66 within storage control unit 65
to temporary host sidefile 71, or to the merged
backup copy, is described in detail within the
cross-referenced patent application, as well as the
process by which merged copies are created which
incorporate data read directly from tracked cyclic
storage unit 61, data within subsystem storage 66
within storage control unit 65 and/or data within
temporary host sidefile 71. Thus, upon reference to
the foregoing those skilled in the art will appreciate
that by initiating a time zero backup copy the
suspension of application execution which normally
accompanies a backup copy session is substan-
tially reduced by the expedient of creating a bit
map identifying each portion of data within the
designated dataset to be updated and thereafter
releasing the dataset for application execution. Por-
tions of the designated dataset within the external
storage subsystem are then copied on an opportu-
nistic or scheduled basis and attempted updates to
the data contained therein are deferred temporarily,
until such time as the original data, as it existed as
of the time of the backup copy, may be written to a
sidefile for inclusion within the completed backup
copy. Thereafter, the updates are written to the
data within the external storage subsystem 66.
Contamination of the data sets is prevented by
securing the data backup copying process.

Claims 

1. A method in a data processing system of se-
curing backup copying of designated datasets
stored within at least a first storage subsystem
connected to the data processing system by a
storage control unit (65) against interference
from contemporaneously executing applica- 
tions (67) within one or more processing units 
of the data processing system, the method 
comprising the steps of: 

responsive to initiation of a data backup 
session by an application executing on a pro- 
cessing unit, generating a unique identifier for 
the data backup session; 

determining all member paths of a group 
of paths designated by the processing unit for 
communication between itself and the first 
storage subsystem; 

associating the data backup session with 
the group of paths; and 

allowing access to the session only along 
a member path of the group of paths asso- 
ciated with the data backup session. 

2. A method in a data processing system of se- 
curing backup copying of designated datasets 
stored within at least a first storage subsystem 
connected to the data processing system by a 
storage control unit (65) against interference 
from contemporaneously executing applica- 
tions (67) within one or more processing units 
of the data processing system as claimed in 
Claim 1, the method comprising the further 
steps of: 

generating a session file in subsystem 
storage (66) of a storage control unit (65) for 
the data backup session; and 

responsive to a session file exceeding a 
limit in size, terminating the data backup ses- 
sion. 

3. A method in a data processing system of se- 
curing backup copying of designated datasets 
stored within at least a first storage subsystem 
connected to the data processing system by a 
storage control unit (65) against interference 
from contemporaneously executing applica- 
tions (67) within one or more processing units 
of the data processing system as claimed in 
Claim 2, wherein said limit is dynamically ad- 
justed as a function of the number of concur- 
rent data backup sessions and the size of the 
concurrent data backup sessions. 

4. A method in a data processing system of se- 
curing backup copying of designated datasets 
stored within at least a first storage subsystem 
connected to the data processing system by a 
storage control unit (65) against interference 
from contemporaneously executing applica- 
tions (67) within one or more processing units 
of the data processing system as claimed in 
Claim 1, the method comprising the further 
step of:

responsive to the processing unit resetting
all member paths of the group of paths des-
ignated initially by the processing unit, termi-
nating the data backup session.

5. A method in a data processing system of se- 
curing backup copying of designated datasets 
stored within at least a first storage subsystem 
connected to the data processing system by a
storage control unit (65) against interference
from contemporaneously executing applica-
tions (67) within one or more processing units
of the data processing system as claimed in
Claim 1, the method comprising the further
step of:

responsive to reinitialization of the pro- 
cessing unit, terminating the data backup ses- 
sion. 


6. A method in a data processing system of se- 
curing backup copying of designated datasets 
stored within at least a first storage subsystem 
connected to the data processing system by a 
storage control unit (65) against interference
from contemporaneously executing applica-
tions (67) within one or more processing units
of the data processing system as claimed in
Claim 1, the method comprising the further
step of:

notifying the processing unit of a 
reinitialization of the storage control unit (65). 

7. A method in a data processing system of se-
curing backup copying of designated datasets
stored within at least a first storage subsystem
connected to the data processing system by a
storage control unit (65) against interference
from contemporaneously executing applica-
tions (67) within one or more processing units
of the data processing system as claimed in 
Claim 1, the method comprising the further 
step of: 

responsive to inquiry by a processing unit,
returning a list of available data backup ses-
sion identifiers to the processing unit.

8. A data processing system for securing data 
backup copying of datasets designated by an 
application executing on a processing unit of
the data processing system and stored within
at least a first storage subsystem (61, 65), the
backup copying occurring during concurrent
execution of other applications (67) on one or
more processing units of the data processing
system, comprising:

means responsive to initiation of a data
backup session by an application executing on
a processing unit for generating a unique iden-
tifier for said data backup session;

means for determining all member paths 
of a group of paths designated by the process- 
ing unit for communication between itself and 
said first storage subsystem; 

means for associating the data backup 
session with the group of paths; and 

means for blocking access to said data 
backup session along a path not belonging to 
the group of paths associated with said data 
backup session. 

9. A data processing system for securing data 
backup copying of datasets designated by an 
application executing on a processing unit of 
the data processing system and stored within 
at least a first storage subsystem, the backup 
copying occurring during concurrent execution 
of other applications (67) on one or more pro- 
cessing units of the data processing system as 
claimed in Claim 8, further comprising: 

means for generating a session file in sub- 
system storage (66) of a storage control unit 
(65) for said data backup session; 

means for determining if said session file 
exceeds a limit in size; and 

means responsive to a session file ex- 
ceeding said limit in size for terminating said 
data backup session. 

10. A data processing system for securing data 
backup copying of datasets designated by an 
application executing on a processing unit of 
the data processing system and stored within 
at least a first storage subsystem, the backup 
copying occurring during concurrent execution 
of other applications (67) on one or more pro- 
cessing units of the data processing system as 
claimed in Claim 9, further comprising means 
for dynamically adjusting said limit as the func- 
tion of a number of concurrent data backup 
sessions and the size of the concurrent data 
backup sessions. 

11. A data processing system for securing data 
backup copying of datasets designated by an 
application executing on a processing unit of 
the data processing system and stored within 
at least a first storage subsystem, the backup 
copying occurring during concurrent execution 
of other applications (67) on one or more pro- 
cessing units of the data processing system as 
claimed in Claim 8, further comprising: 

means responsive to the processing unit 
resetting all member paths of the group of 
paths designated initially by the processing 
unit for terminating said data backup session. 

12. A data processing system for securing data
backup copying of datasets designated by an
application executing on a processing unit of
the data processing system and stored within
at least a first storage subsystem, the backup
copying occurring during concurrent execution
of other applications (67) on one or more pro-
cessing units of the data processing system as
claimed in Claim 8, further comprising:

means responsive to reinitialization of said
processing unit for terminating said data
backup session.

13. A data processing system for securing data 
backup copying of datasets designated by an
application executing on a processing unit of
the data processing system and stored within
at least a first storage subsystem, the backup
copying occurring during concurrent execution
of other applications (67) on one or more pro-
cessing units of the data processing system as
claimed in Claim 8, further comprising: 

means for notifying the processing unit of 
a reinitialization of the storage control unit (65). 


14. A data processing system for securing data 
backup copying of datasets designated by an 
application executing on a processing unit of 
the data processing system and stored within
at least a first storage subsystem, the backup
copying occurring during concurrent execution
of other applications (67) on one or more pro-
cessing units of the data processing system as
claimed in Claim 8, further comprising:

means responsive to inquiry by a process-
ing unit for returning a list of available data
backup session identifiers to the processing 
unit. 
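
The session controls recited in claims 1, 2 and 4 (binding to a path group, the session file size limit, and termination on reset of every member path), as an added Python sketch that is not code from the patent. The path names, integer session identifiers, the fixed byte limit and the use of Python exceptions to signal blocked access or termination are assumptions.

```python
import itertools

class StorageControlUnit:
    def __init__(self, path_groups, file_limit):
        self.path_groups = [frozenset(g) for g in path_groups]
        self.file_limit = file_limit    # fixed here (assumption); claim 3 adjusts it
        self.sessions = {}
        self._ids = itertools.count(1)  # integer ids are an assumption

    def establish(self, path):
        # Claim 1: bind the new session to every member path of the group.
        group = next((g for g in self.path_groups if path in g), None)
        if group is None:
            raise PermissionError(f"path {path} belongs to no path group")
        sid = next(self._ids)
        self.sessions[sid] = {"paths": group, "reset": set(), "file": 0}
        return sid

    def access(self, sid, path, sidefile_bytes=0):
        session = self.sessions[sid]           # KeyError once terminated
        if path not in session["paths"]:       # claim 1: member paths only
            raise PermissionError(f"session {sid} is not bound to path {path}")
        session["file"] += sidefile_bytes
        if session["file"] > self.file_limit:  # claim 2: session file too large
            del self.sessions[sid]
            raise LookupError(f"session {sid} terminated: session file over limit")
        return session["file"]

    def reset_path(self, path):
        # Claim 4: terminate once every member path of the group has been reset.
        for sid, session in list(self.sessions.items()):
            if path in session["paths"]:
                session["reset"].add(path)
                if session["reset"] == session["paths"]:
                    del self.sessions[sid]

def outcome(call, *args):
    try:
        return call(*args)
    except (PermissionError, LookupError) as exc:
        return type(exc).__name__

def path_group_demo():
    scu = StorageControlUnit([{"A1", "A2"}, {"B1"}], file_limit=100)  # constructed
    sid = scu.establish("A1")
    seen = [outcome(scu.access, sid, "A2", 60),  # member path of the group
            outcome(scu.access, sid, "B1"),      # path outside the group
            outcome(scu.access, sid, "A1", 60)]  # 120 > 100 ends the session
    sid2 = scu.establish("A2")
    scu.reset_path("A1")
    partial = sid2 in scu.sessions               # one path reset: still alive
    scu.reset_path("A2")                         # whole group reset: terminated
    return seen, partial, sid2 in scu.sessions
```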